

Add a rate limit to generating new account recovery links for a given account

Summary:
Depends on D20665. Ref T13343. We support CAPTCHAs on the "Forgot password?" flow, but not everyone configures them (or necessarily should, since ReCAPTCHA is a huge external dependency run by Google that requires you to allow Google to execute JS on your domain), and the rate at which any reasonable user needs to take this action is very low.

Put a limit on the rate at which account recovery links may be generated for a particular account, so the worst case is a trickle of annoyance rather than a flood of nonsense.

Test Plan: {F6607794}

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13343

Differential Revision: https://secure.phabricator.com/D20666

+29
+2
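--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2265,6 +2265,7 @@
     'PhabricatorAuthDisableController' => 'applications/auth/controller/config/PhabricatorAuthDisableController.php',
     'PhabricatorAuthDowngradeSessionController' => 'applications/auth/controller/PhabricatorAuthDowngradeSessionController.php',
     'PhabricatorAuthEditController' => 'applications/auth/controller/config/PhabricatorAuthEditController.php',
+    'PhabricatorAuthEmailLoginAction' => 'applications/auth/action/PhabricatorAuthEmailLoginAction.php',
     'PhabricatorAuthEmailLoginMessageType' => 'applications/auth/message/PhabricatorAuthEmailLoginMessageType.php',
     'PhabricatorAuthEmailSetPasswordMessageType' => 'applications/auth/message/PhabricatorAuthEmailSetPasswordMessageType.php',
     'PhabricatorAuthFactor' => 'applications/auth/factor/PhabricatorAuthFactor.php',
@@ -8222,6 +8223,7 @@
     'PhabricatorAuthDisableController' => 'PhabricatorAuthProviderConfigController',
     'PhabricatorAuthDowngradeSessionController' => 'PhabricatorAuthController',
     'PhabricatorAuthEditController' => 'PhabricatorAuthProviderConfigController',
+    'PhabricatorAuthEmailLoginAction' => 'PhabricatorSystemAction',
     'PhabricatorAuthEmailLoginMessageType' => 'PhabricatorAuthMessageType',
     'PhabricatorAuthEmailSetPasswordMessageType' => 'PhabricatorAuthMessageType',
     'PhabricatorAuthFactor' => 'Phobject',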
+21
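--- /dev/null
+++ b/src/applications/auth/action/PhabricatorAuthEmailLoginAction.php
@@ -0,0 +1,21 @@
+<?php
+
+final class PhabricatorAuthEmailLoginAction extends PhabricatorSystemAction {
+
+  const TYPECONST = 'mail.login';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 3 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'Too many account recovery email links have been sent to this account '.
+      'in a short period of time.');
+  }
+
+}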
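Review bot: The limit explanation returned by `getLimitExplanation()` names "this account", so if the surrounding "Forgot password?" controller surfaces it to the requester, the throttle becomes an account-existence oracle: four requests for an address that maps to a real account produce the rate-limit message, while four requests for an unknown address presumably do not. The controller is not in this diff, so whether the error is rendered uniformly for unknown addresses should be confirmed. The per-account key also means anyone who knows a victim's address can burn the three-per-hour allowance and keep the legitimate owner from recovering for up to an hour; the commit description accepts this trade-off, but the class should record it. I would add a class doc comment along the lines of `/** Throttles generation of one-time login links per recipient account (3 per hour). Keyed on the account, not the requester, so a third party can exhaust a victim's allowance; do not reveal this limit in a way that distinguishes existing from non-existing accounts. */`.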
+6
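--- a/src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
+++ b/src/applications/people/mail/PhabricatorPeopleEmailLoginMailEngine.php
@@ -34,6 +34,12 @@
     }
 
     $recipient = $this->getRecipient();
+
+    PhabricatorSystemActionEngine::willTakeAction(
+      array($recipient->getPHID()),
+      new PhabricatorAuthEmailLoginAction(),
+      1);
+
     $engine = new PhabricatorAuthSessionEngine();
     $login_uri = $engine->getOneTimeLoginURI(
       $recipient,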
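Review bot: The `willTakeAction()` call at the top of the added lines both checks and consumes the recipient's allowance before the one-time login URI is generated, so an attempt that later fails (mail build or delivery error further down) still counts against the account; that is an acceptable fail-closed choice but is not obvious from the code. The call presumably throws a rate-limit exception on refusal rather than returning a status, so every caller of this mail engine — not only the "Forgot password?" controller, but any administrative "send login link" path that reuses it, if one exists — must be prepared to surface that exception; if such a path shares the engine, an attacker who exhausts the allowance also blocks the administrator. I would add a why-comment above the call: `// Per-account throttle (see PhabricatorAuthEmailLoginAction); this consumes an attempt even if sending fails later, and throws on refusal.`. The enclosing method begins and ends outside this hunk.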